Property encryption
The Onegini Statistics Engine reads its configuration from etcd. Any value stored in etcd can be encrypted; sensitive values such as passwords should be. This topic guide walks you through the actions related to property encryption.
Configure the property encryption password
The encryption password is itself configured in etcd, under the property below.
Property | Required | Description |
---|---|---|
/statistics-engine/common/property-encryption-password | true | The password that is used to encrypt and decrypt property values in etcd |
Note: Storing the property encryption password in etcd may sound insecure. The password is only needed while the engine starts, so it only has to exist for a few minutes. Etcd can remove a key automatically after a given period when it is set with a time-to-live (ttl) option, expressed as the number of seconds the key must exist. Keep that window as short as startup allows and protect access to etcd itself (authentication, TLS, restricted snapshots): the ttl does not help against anyone who can read the key during those minutes.
A value with a ttl is set with the following command:
etcdctl set /statistics-engine/common/property-encryption-password 'dummyValue' --ttl '300'
The command above stores the key /statistics-engine/common/property-encryption-password with the value dummyValue, and etcd removes it again after 300 seconds (5 minutes). The syntax shown is that of the etcd v2 API; if your etcd is accessed through the v3 API, a ttl is expressed as a lease attached to the key rather than as a --ttl flag.
Encrypt property values
The open source library Jasypt is used for this. The algorithm Onegini uses, PBEWITHSHA256AND256BITAES-CBC-BC (password-based encryption with SHA-256 key derivation and AES-256 in CBC mode), is not present in the standard JRE security provider implementation. For this reason the BouncyCastle security provider implementation is used.
Install the Jasypt library
You can download Jasypt from their website; verify the download against the checksum or signature they publish before using it. Untar the library into a directory of your choice, e.g. the /opt directory.
Install a custom Java Cryptographic Provider
BouncyCastle is necessary for encrypting properties, since the algorithm that is used is not included in the standard Java cryptographic provider. Download the BouncyCastle provider jar and move it to the lib folder inside the extracted Jasypt archive; Jasypt's scripts put every jar in that folder on the classpath.
Note: A Java runtime whose Java Cryptography Extension (JCE) policy allows unlimited key strength is required, because the algorithm uses 256-bit AES keys. On Java 8u151 and earlier the unlimited-strength policy files have to be installed separately; from 8u161 onward unlimited strength is the default. Check this blog for instructions on installing the proper JCE for your Java version.
Encrypt property values
Any property can be encrypted; passwords and other secrets are the ones that should be. The steps below describe how to do this. Navigate to the bin directory of the installed Jasypt library (the version number in the path depends on the release you downloaded):
cd <JASYPT_PATH>/jasypt-1.9.1/bin/
Generate a master password either using a password generator or the following command:
openssl rand -hex 32
Next, execute the following command:
./encrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_ENCRYPT>'
Note: Don't forget that the master password is needed whenever a Statistics Engine instance starts; see: configure the property encryption password. Be aware that a password passed on the command line ends up in your shell history and, while the command runs, in the process list.
If the password or the input contains a single quote, replace each single quote with the sequence "'" inside the single-quoted argument: this closes the single-quoted string, adds the quote character inside double quotes, and reopens the single-quoted string (so it's becomes 'it'"'"'s').
When the above command is executed, the encrypted property value is printed to the screen. Jasypt uses a random salt, so running the command twice on the same input produces two different ciphertexts; both are valid. The last step is to configure the encrypted value as the actual value in etcd. The value has to be surrounded by ENC(<ENCRYPTED_VALUE>). Below is an example of an encrypted property value:
etcdctl set /statistics-engine/common/some-property "ENC(6sCtMDYFi5MhTfRk9x6tzVuc/TouSqLnTsajxGdOq/4=)"
You can verify the encryption by decrypting the value again. The input is the value printed by encrypt.sh, without the ENC( ) wrapper:
./decrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_DECRYPT>'
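The two procedures on this page (setting the password with a ttl, and encrypting a value and storing it as ENC(...)) combined into one script, as an added example; this is not part of the original page or of Onegini's tooling. It assumes JASYPT_PATH points at the extracted Jasypt directory with the BouncyCastle jar in lib/, that etcdctl uses the etcd v2 API shown on this page, and that MASTER_PASSWORD holds the output of openssl rand; the key names and the sample dump in sample_dump are constructed for illustration. The helper functions cover the three error-prone details: the single-quote rule, the ENC( ) wrapper, and a check that every secret-looking key actually holds an encrypted value before the engine starts.

```shell
#!/usr/bin/env bash
# Added example (not Onegini's code). Assumes: JASYPT_PATH = extracted Jasypt
# directory with the BouncyCastle jar in lib/, etcdctl speaking the etcd v2
# API, MASTER_PASSWORD = output of "openssl rand -hex 32". Key names follow
# the /statistics-engine/ layout but are illustrative.
set -eu

# Quote a string for an interactive shell line: every embedded ' becomes
# '"'"' (close the single-quoted string, quote the ' itself, reopen).
# Only needed when typing encrypt.sh by hand; inside a script the value is
# passed as "$var" and needs no escaping at all.
sq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\"'\"'/g")"
}

# Wrap a raw Jasypt ciphertext in the ENC(...) marker the engine looks for.
enc_wrap() { printf 'ENC(%s)' "$1"; }

# Print the payload of an ENC(...) value; fail if the marker is absent.
enc_unwrap() {
  local v
  case "$1" in
    ENC\(*\)) v=${1#"ENC("}; printf '%s' "${v%")"}" ;;
    *) return 1 ;;
  esac
}

# True only for ENC(...) around a non-empty payload that decodes as base64.
is_enc_value() {
  local b
  b=$(enc_unwrap "$1") || return 1
  [ -n "$b" ] && printf '%s' "$b" | base64 -d >/dev/null 2>&1
}

# Audit a "key value" dump (one pair per line, as produced by etcdctl get on
# each key). Reports secret-looking keys whose value is not a well-formed
# ENC(...) value. Returns 1 if anything was flagged, 0 otherwise.
audit_dump() {
  local rc=0 key val
  while read -r key val; do
    [ -n "$key" ] || continue
    case "$key" in
      *password*|*secret*|*credential*|*token*)
        if ! is_enc_value "$val"; then
          echo "UNENCRYPTED: $key" >&2
          rc=1
        fi ;;
    esac
  done
  return "$rc"
}

# Constructed sample dump (not real data): one encrypted secret, one plain
# host name, and one secret that was stored in clear by mistake.
sample_dump() {
  printf '%s\n' \
    '/statistics-engine/common/db-password ENC(6sCtMDYFi5MhTfRk9x6tzVuc/TouSqLnTsajxGdOq/4=)' \
    '/statistics-engine/common/db-host db.internal.example' \
    '/statistics-engine/common/api-token hunter2'
}

# Encrypt one value with the algorithm from this page and store it under KEY.
# The master password comes from a variable, so it never lands in the shell
# history; it is still visible in the Java process's argument list (ps) for
# as long as encrypt.sh runs.
store_encrypted() {
  local key plaintext cipher
  key=$1; plaintext=$2
  cipher=$("$JASYPT_PATH/bin/encrypt.sh" \
    providerClassName=org.bouncycastle.jce.provider.BouncyCastleProvider \
    algorithm=PBEWITHSHA256AND256BITAES-CBC-BC verbose=false \
    password="$MASTER_PASSWORD" input="$plaintext")
  is_enc_value "$(enc_wrap "$cipher")" ||
    { echo "encrypt.sh did not print a usable ciphertext" >&2; return 1; }
  etcdctl set "$key" "$(enc_wrap "$cipher")" >/dev/null
}

# Offline demonstration of the audit on the constructed dump: the api-token
# line is reported on stderr and the audit exits non-zero.
sample_dump | audit_dump || echo "audit: unencrypted secrets found"

# Talks to Jasypt and etcd only when both variables are set, so the helpers
# above can be sourced and exercised without either tool present.
if [ -n "${JASYPT_PATH:-}" ] && [ -n "${MASTER_PASSWORD:-}" ]; then
  # Password first, with a short ttl: etcd removes it again after 300 s.
  etcdctl set /statistics-engine/common/property-encryption-password \
    "$MASTER_PASSWORD" --ttl 300 >/dev/null
  store_encrypted /statistics-engine/common/some-property \
    "${1:?usage: $0 <value to encrypt>}"
fi
```

To audit a live instance, feed audit_dump lines of the form "key value" built from etcdctl ls --recursive and etcdctl get; any key containing password, secret, credential or token whose value is not a decodable ENC(...) payload is reported. Note that the check only proves the value is wrapped and base64-encoded, not that it was produced with the current master password; decrypt.sh, as shown above, is the check for that.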